Jump to content
Froxlor Forum
  • 0

Keine Zertifikatserstellung möglich - Unknown SSL protocol error


Go to solution Solved by j4mb4l4j4,

Question

Hallo, ich hätte eine Frage da ich aktuell in folgendes Problem laufe.

Froxlor version: 0.9.39.5 (DB: 201805290)

Meine Domains bekommen aktuell keine neuen Zertifikate mehr, da der Cronjob der die Letsencrypt Zertifikate erzeugt einen Fehler wirft.
Gemäß Syspanel bekomme ich die Meldung (customer = mein Kunde, my.domain.com = meine Domain):

25.03.19 18:51:38 	error 	customer 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443
25.03.19 17:48:28 	error 	froxlor.panel 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443
25.03.19 17:35:04 	error 	customer 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Empty reply from server
25.03.19 16:47:52 	error 	froxlor.panel 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443
25.03.19 16:43:53 	error 	froxlor.panel 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Empty reply from server
25.03.19 16:43:53 	error 	customer 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443
25.03.19 16:30:27 	error 	froxlor.panel 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Empty reply from server
20.03.19 16:55:42 	error 	froxlor.panel 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Could not resolve host: acme-v02.api.letsencrypt.org
20.03.19 16:50:50 	error 	customer 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Could not resolve host: acme-v02.api.letsencrypt.org
20.03.19 16:50:20 	error 	froxlor.panel 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Operation timed out after 0 milliseconds with 0 out of 0 bytes received
09.03.19 16:12:36 	error 	customer 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Empty reply from server
09.03.19 14:52:02 	error 	customer 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Empty reply from server
01.03.19 14:54:10 	error 	customer 	Could not get Let's Encrypt certificate for my.domain.com: Curl: Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443
01.03.19 05:30:01 	error 	customer 	Could not get Let's Encrypt certificate for my.domain.com: Curl: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

Leider bekomme ich wenn ich folgenden Befehl ausführe auch keine Meldung, es hängt einfach und passiert nix:

root@server:/var/run# php -q /var/www/my.domain.com/scripts/froxlor_master_cronjob.php --letsencrypt --debug
[information] Updating Let's Encrypt certificates
[information] Updating my.domain.com
[information] letsencrypt-v2 Using 'https://acme-v02.api.letsencrypt.org' to generate certificate
[information] letsencrypt-v2 Using existing account key
[information] letsencrypt-v2 Starting certificate generation process for domains
[information] letsencrypt-v2 Requesting challenge for my.domain.com

Leider sehe ich keine weitere Möglichkeit zum Debugging.

Wo müsste ich ansetzen um mehr Logs zu bekommen, bzw. kennt jemand den Fehler und kann mir sagen was ich falsch mache ?
Irgendwie verstehe ich nicht was das Problem ist.

Auf einem anderen Server mit anderer IP und Froxlor habe ich genau das gleiche Problem.

Ich kann erfolgreich pingen und telnetten:

root@server:/var/run# telnet acme-v02.api.letsencrypt.org 443
Trying 2a02:26f0:eb:186::3a8e...
Connected to e14990.dscx.akamaiedge.net.
Escape character is '^]'.
^CConnection closed by foreign host.

 

ssl-settings-froxlor.png

Link to post
Share on other sites

3 answers to this question

Recommended Posts

  • 0

1) aktualisiere auf 0.9.40.1

2) nutze lieber ACMEv1

3) prüfe ob dein Apache Fehler ausgibt

4) wenn ich den Fehler richtig interpretiere mag der let's encrypt server das tls1.0 nicht, aber probiere es erstmal mit Punkt 2

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Similar Content

    • By logicbloke
      Hi,
      I'm just wondering what the difference is between the following 2 folders:
      Why is froxlor installing acme.sh cron everytime it runs at 3am everyday especially since the 5-min let's encrypt froxlor cron is already in place? Also, all my db config points to /etc/ssl/froxlor-custom for the domains and all keys/certificates inside that folder have a different md5 from the ones under /root/.acme.sh/, so I'm wondering what's with the mismatch? Are we updating certificates for domains twice?
       
      If anyone can shed some more light on this, it will be very much appreciated.
       
      Many thanks!
    • By Michael Groß
      Hallo zusammen,
      ich kämpfe momentan mit der SSL Konfiguration von meinem Froxlor-Server.
      Bedauerlicherweise befindet sich der Webserver hinter einer Firewall und hat eine private IP Adresse zugewiesen bekommen. 
      Die Firewall leitet entsprechend den Traffic von außerhalb auf den Server weiter (HTTP ist das alles kein Problem).
      Nun habe ich vorhin SSL aktivieren wollen und hierzu kann ich leider keine private IP Adresse eintragen (lässt Froxlor nicht zu).
      Entsprechend habe ich die public IP eingetragen, was aber auch nicht funktioniert, da durch das NAT der Firewall die private IP angesprochen wird - somit funktioniert dies nicht.
      Habt ihr eine Idee, wie man das umbauen kann?
      An sich brauche ich nur die private IP Adresse als SSL Adresse eintragen - vermute aber, dass dadurch Let's Encrypt auch nicht mehr richtig laufen wird.
      Viele Grüße
      Michael
      PS: Ein 1:1 NAT wäre noch eine Möglichkeit, da ich die Public IP aber für diverse Server verwende, fällt das auch raus. Müsste dann eine neue Public IP kaufen, welche ich dann mit einem 1:1 NAT auf den Webserver laufen lasse (wäre noch eine Möglichkeit)
    • By nisamudeen97
      Hi,
      Our froxlor server is behiend NAT and it uses the local IP  192.168.73.40.  We have enabled letsencrypt module in froxlor and tried validating SSL for a domain in the server.  SSL generation is getting failed with 403 error.  See the debug log information.      Replaced domain name and main IP.    Can any one help me regarding the issue.
       
      [information] Updating Let's Encrypt certificates [information] Updating domain-name.com [information] Adding SAN entry: domain-name.com [information] Adding SAN entry: www.domain-name.com [information] letsencrypt-v2 Using 'https://acme-v02.api.letsencrypt.org' to generate certificate [information] letsencrypt-v2 Using existing account key [information] letsencrypt-v2 Starting certificate generation process for domains [information] letsencrypt-v2 Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order [information] letsencrypt-v2 Requesting challenge for domain-name.com [information] letsencrypt-v2 Got challenge token for domain-name.com [information] letsencrypt-v2 Token for domain-name.com saved at /var/www/froxlor/.well-known/acme-challenge/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k and should be available at http://domain-name.com/.well-known/acme-challenge/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k [information] letsencrypt-v2 Sending request to challenge [information] letsencrypt-v2 Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/803008408/k46kFQ [information] letsencrypt-v2 Verification pending, sleeping 1s [information] letsencrypt-v2 Verification pending, sleeping 1s [error] Could not get Let's Encrypt certificate for domain-name.com: Verification ended with error: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http:\/\/domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k [212.224.xxx.xxx]: \"<!DOCTYPE html>\\n<html lang=\\\"en-CA\\\" class=\\\"html_stretched responsive av-preloader-active av-preloader-enabled av-default-lightbox\"","status":403},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/803008408\/k46kFQ","token":"vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","validationRecord":[{"url":"http:\/\/www.domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","hostname":"www.domain-name.com","port":"80","addressesResolved":["212.224.xxx.xxx"],"addressUsed":"212.224.xxx.xxx"},{"url":"http:\/\/domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","hostname":"domain-name.com","port":"80","addressesResolved":["212.224.xxx.xxx"],"addressUsed":"212.224.xxx.xxx"}]} [information] Let's Encrypt certificates have been updated  
    • By peterpan
      Hi,
      I have a domain equipped with a certificate from LE. The cert is valid another 2 months. Now I added a domain as an alias of the existing domain, but the certificate isn't updated to have the new domain as its SAN.
      How do I trigger getting a new and updated certificate? Should I delete the existing one?
      Thanks for helping out.
       
      Peter
    • By juca
      Hi,
      I was wondering if it possible to specify different custom configurations for HTTP and HTTPS traffic. 
      I have a couple of sites that would need to keep HTTP traffic active. Basically what I would like to do is the following:
      for HTTP:
      ProxyPreserveHost On ProxyRequests off ### HTTP Proxy AllowCONNECT 443 563 ProxyPass / http://localhost:16080/ ProxyPassReverse / http://localhost:16080/  
      for HTTPS:
      ###SSL Proxy ProxyPreserveHost On ProxyRequests off SSLProxyEngine on SSLProxyVerify none  SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off ProxyPass / https://localhost:16443/ ProxyPassReverse / https://localhost:16433/ is this possible?
       
×
×
  • Create New...